Commit Graph

6636 Commits

Author SHA1 Message Date
Alex
0d9fae4c3a
Build: Limit permissions for GitHub workflows
Add explicit permissions section[^1] to workflows. This is a security
best practice because by default workflows run with extended set
of permissions[^2] (except from `on: pull_request` from external forks[^3].
By specifying any permission explicitly all others are set to none. By using
the principle of least privilege the damage a compromised workflow can do
(because of an injection[^4] or compromised third party tool or action) is
restricted. It is recommended to have most strict permissions on the top
level[^5] and grant write permissions on job level[^6] on a case by case
basis.

[^1]: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
[^2]: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
[^3]: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
[^4]: https://securitylab.github.com/research/github-actions-untrusted-input/
[^5]: https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
[^6]: https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

Closes gh-5119

(cherry picked from commit c909d6b1ff)
2022-12-01 14:27:11 +01:00
Michał Gołębiowski-Owczarek
f4809f9b4a
Build: Test on Node.js 18 & 19, stop testing on Node 12
Closes gh-5161
2022-11-17 13:22:38 +01:00
Michał Gołębiowski-Owczarek
5318e3111a Selector:Manipulation: Fix DOM manip within template contents
The `<template/>` element `contents` property is a document fragment that may
have a `null` `documentElement`. In Safari 16 this happens in more cases due
to recent spec changes - in particular, even if that document fragment is
explicitly adopted into an outer document. We're testing both of those cases
now.

The crash used to happen in `jQuery.contains` which is an alias for
`Sizzle.contains` in jQuery 3.x.

The Sizzle fix is at jquery/sizzle#490, released in Sizzle `2.3.8`. This
version of Sizzle is included in the parent commit.

A fix similar to the one from gh-5158 has also been applied here to the
`selector-native` version.

Fixes gh-5147
Closes gh-5159
Ref jquery/sizzle#490
Ref gh-5158
2022-11-16 23:58:17 +01:00
Michał Gołębiowski-Owczarek
a1b7ae3b3f Selector: Update Sizzle from 2.3.7 to 2.3.8
Fixes gh-5147
Ref gh-5158
Ref jquery/sizzle#490
2022-11-16 23:58:17 +01:00
dependabot[bot]
28241b7f92 Build: Bump actions/setup-node from 3.5.0 to 3.5.1
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 3.5.0 to 3.5.1.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v3.5.0...v3.5.1)

Closes gh-5153

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit 0208224b5b)
2022-11-01 20:59:39 +01:00
Michał Gołębiowski-Owczarek
ee0fec052b
Selector: Update Sizzle from 2.3.6 to 2.3.7
Fixes gh-5098
Closes gh-5135
Ref jquery/sizzle#486
Ref gh-5107
2022-10-04 18:02:52 +02:00
Michał Gołębiowski-Owczarek
ed02835585 Build: Update Grunt from 1.4.1 to 1.5.3
This will resolve the following security issues:
* Path Traversal in Grunt: https://github.com/advisories/GHSA-j383-35pm-c5h4
* Race Condition in Grunt: https://github.com/advisories/GHSA-rm36-94g8-835r

Closes gh-5134

(cherry picked from commit aa231cd214)
2022-10-03 23:08:08 +02:00
Michał Gołębiowski-Owczarek
76edd26ebb Docs: Update the README of the published package
The previous details were showing their age, e.g. mentions about browsers
not supporting ES2015. The story with ES modules is more complex as it's also
about loaders but to keep the README simple, let's just make it more up to date
with typical usage.

Closes gh-5108

(cherry picked from commit edccabf10d)
2022-10-03 22:56:17 +02:00
Michał Gołębiowski-Owczarek
965391ab93 Tests: Remove a workaround for a Firefox XML parsing issue
Firefox 96-100 used to report the column number smaller by 2 than it should
in the `parsererror` element generated for invalid XML documents. Since that
version range is unsupported now and it includes no ESR versions, the workaround
can now be dropped.

Closes gh-5109
Ref gh-5018

(cherry picked from commit e7ffe1f135)
2022-10-03 22:54:18 +02:00
Michał Gołębiowski-Owczarek
8bea1dec18 CSS: Return undefined for whitespace-only CSS variable values (#5120)
The spec requires that CSS variable values are trimmed. In browsers that do
this - mainly, Safari, but also Firefox if the value only has leading
whitespace - we currently return undefined; in other browsers, we return
an empty string as the logic to fall back to undefined happens before
trimming.

This commit adds another explicit callback to `undefined` to have it consistent
across browsers.

Also, more explicit comments about behaviors we need to work around in various
browsers have been added.

Closes gh-5120
Ref gh-5106

(cherry picked from commit 7eb0019640)
2022-10-03 22:45:52 +02:00
dependabot[bot]
9eb47cceba Build: Bump actions/setup-node from 3.4.1 to 3.5.0
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 3.4.1 to 3.5.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v3.4.1...v3.5.0)

Closes gh-5133

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit 25400750fb)
2022-10-03 16:59:45 +02:00
Michał Gołębiowski-Owczarek
d051e0e3a2
Tests: Make Ajax tests pass in iOS 9
Accept "HTTP/2.0 200" as a valid `statusText` for successful requests
to make ajax tests pass in iOS 9. At this point, normalizing this in code
doesn't seem to make a lot of sense.

Closes gh-5121
2022-09-21 17:46:18 +02:00
Anders Kaseorg
c0db6d7032 CSS: Don’t trim whitespace of undefined custom property
Fixes gh-5105
Closes gh-5106

Signed-off-by: Anders Kaseorg <andersk@mit.edu>

(cherry picked from commit ed306c0261)
2022-09-19 23:20:14 +02:00
dependabot[bot]
f14064cabf Upgrade: Bump actions/setup-node from 3.3.0 to 3.4.1
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 3.3.0 to 3.4.1.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v3.3.0...v3.4.1)

Closes gh-5078

(cherry picked from commit 78321f078c)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-09-12 15:47:46 +02:00
Timmy Willison
8f6136fc70
Build: Updating the 3.x-stable version to 3.6.2-pre. 2022-08-26 13:54:28 -04:00
Timmy Willison
ba2665f3cd
Release: update AUTHORS.txt 2022-08-15 11:54:39 -04:00
Vladimir Sitnikov
699401008f
Deprecated: Improve $.trim performance for strings with lots of whitespace
Regex imp implementation takes `O(N^2)` time to trim the string when
multiple adjacent spaces were present.

The new expression require that the "whitespace run" starts from
a non-whitespace to avoid `O(N^2)` behavior when the engine would
try matching `\s+$` at each space position.

Closes gh-5068
2022-07-20 10:51:13 +02:00
Simon Legner
410d5cf0c3 Docs: Update webpack website in README
Webpack has migrated to https://webpack.js.org/ since version 2.

Closes gh-5037

(cherry picked from commit 01819bc3bc)
2022-07-12 17:17:18 +02:00
Michał Gołębiowski-Owczarek
bc16512879
Tests: Exclude tests based on compilation flags, not API presence (3.x version)
Introduces a new test API, `includesModule`. The method returns whether
a particular module like "ajax" or "deprecated" is included in the current
jQuery build; it handles the slim build as well. The util was created so that
we don't treat presence of particular APIs to decide whether to run a test as
then if we accidentally remove an API, the tests would still not fail.

Closes gh-5071
Fixes gh-5069
Ref gh-5046

(partially cherry picked from commit fae5fee8b4)
2022-07-12 17:12:27 +02:00
Michał Gołębiowski-Owczarek
0f6c3d9efc Build: Update GitHub Actions
* Build(deps): Bump actions/cache from 2 to 3

Bumps [actions/cache](https://github.com/actions/cache) from 2 to 3.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-major
...

* Build(deps): Bump actions/setup-node from 2.1.2 to 3.3.0

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 2.1.2 to 3.3.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v2.1.2...v3.3.0)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-type: direct:production
  update-type: version-update:semver-major
...

* Build(deps): Bump actions/checkout from 2 to 3

Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Closes gh-5067

(cherry picked from commit 52f452b2e8)
2022-06-27 18:59:57 +02:00
Christian Oliff
5a363017cf Build: Add dependabot.yml config (GitHub Actions)
This makes dependabot issue automated PRs to update
GitHub Action versions monthly.

Closes gh-5057

(cherry picked from commit 3f8bb2a46d)
2022-06-27 18:34:50 +02:00
Michał Gołębiowski-Owczarek
9bc0df70be Build: Test on Node 17, update Grunt & karma-* packages
This adds testing on Node.js 17 in addition to the currently tested 10, 12, 14
and 16 versions.

Also, update Grunt & `karma-*` packages.

Testing in Karma on jsdom is broken in Node 17 at the moment; until we find
a fix, this change disables such testing on Node 17 or newer.

Node smoke tests & promises aplus tests are disabled on Node.js 10 as they
depend on jsdom and the latest jsdom version doesn't run properly on Node 10.

Closes gh-5023

(cherry picked from commit 2525cffc42)
2022-03-14 18:31:49 +01:00
Michał Gołębiowski-Owczarek
be3bd560f4 Tests: Workaround an XML parsing bug in Firefox
See https://bugzilla.mozilla.org/show_bug.cgi?id=1751796

Closes gh-5018

(cherry picked from commit af1cd6f218)
2022-02-28 18:28:14 +01:00
Timmy Willison
b24e83bd9d
Docs: add link to preview the new CLAs
Closes gh-5010
2022-02-07 17:09:55 +00:00
Michał Gołębiowski-Owczarek
9b34bdb1c3 CSS: Skip falsy values in addClass( array ), compress code
This change makes jQuery skip falsy values in `addClass( array )`
& `removeClass( array )` instead of stopping iteration when the first falsy
value is detected. This makes code like:
```js
elem.addClass( [ "a", "", "b" ] );
```
add both the `a` & `b` classes.

The code was also optimized for size a bit so it doesn't increase the
minified gzipped size.

Fixes gh-4998
Closes gh-5003

(partially cherry picked from commit a338b407f2)
2022-01-25 00:35:50 +01:00
Michał Gołębiowski-Owczarek
95e34b6955
Docs: Replace #NUMBER Trac issue references with trac-NUMBER
This is a version of gh-4993 for the `3.x-stable` branch.

The GitHub UI treats `#NUMBER` as referring to its own issues which is confusing
when in jQuery source it's usually referring to the old deprecated Trac instance
at https://bugs.jquery.com. This change replaces all such Trac references with
`trac-NUMBER`.

A few of the references came with the Sizzle integration and referred to the
Sizzle GitHub bug tracker. Those have been replaced with full links instead.

A new entry describing issue reference conventions has been added to README.

Closes gh-4994
Ref gh-4993
Ref 5d5ea01511
2022-01-12 23:23:10 +01:00
Timmy Willison
fa70e8fd3c
Tests: lock colors version to 1.4.0 2022-01-10 15:40:24 -05:00
Timmy Willison
c3c4d20736
Docs: remove expired links from old jquery source
Ref gh-4981
Ref gh-4991
2022-01-07 12:41:21 -05:00
Michał Gołębiowski-Owczarek
4b0d8900ec Docs: Remove links to Web Archive from source
Neither of the removed links is crucial; one of them refers to a site that has
since started being malicious; while the Web Archive links remain safe, some
scanners warn about such links. Removing them is the safest thing to do.

Fixes gh-4981
Closes gh-4991

(cherry picked from commit e24f2dcf3f)
2022-01-04 16:36:20 +01:00
Michał Gołębiowski-Owczarek
cb35067f1b Build: Separate the install step from running tests in GitHub Actions
Also, update the "Run test" label to "Run tests".

Closes gh-4992

(cherry picked from commit eef972508c)
2022-01-04 16:34:40 +01:00
Richard Gibson
a1373e2e4f CSS: Justify use of rtrim on CSS property values
CSS does not acknowledge carriage return or form feed characters
as whitespace but it does replace them with whitespace, making it
acceptable to use `rtrim`.

Closes gh-4956

(cherry picked from commit 655c0ed5e2)
2022-01-03 14:07:49 +01:00
Timmy Willison
5566988359
Build: remove travis.yml and travis mentions from core (#4984)
We've migrate jquery core to GH actions and have already disabled core builds on travis
2021-12-13 12:22:34 -05:00
Michał Gołębiowski-Owczarek
81fa1e2ae9 Tests: Skip ETag AJAX tests on TestSwarm
TestSwarm is now proxied via Cloudflare which cuts out headers relevant for
ETag tests, failing them. We're still running those tests in Karma on Chrome
& Firefox (including Firefox ESR).

Closes gh-4974

(cherry picked from commit 00c060d161)
2021-12-01 13:25:52 +01:00
Michał Gołębiowski-Owczarek
7439e221c0 Tests: Allow statusText to be "success" in AJAX tests
In HTTP/2, status message is not supported and whatever is reported as
statusText differs between browsers. In Chrome & Safari it's "success", in
Firefox & IE it's "OK". So far "success" wasn't allowed. This made the tests
pass locally if you're running an HTTP/1.1 server but on TestSwarm which is
now proxied via an HTTP/2-equipped Cloudflare, the relevant test started failing
in Chrome & Safari.

Allow "success" to resolve the issue.

Closes gh-4973

(cherry picked from commit 19ced963c6)
2021-12-01 13:25:43 +01:00
ygj6
b39cfa1505 Build: Migrate CI to GitHub Actions
Closes gh-4800

(cherry picked from commit e23190e63c)
2021-12-01 00:03:59 +01:00
Michał Gołębiowski-Owczarek
4bb7d069ca Docs: Update the URL to the latest jQuery build in CONTRIBUTING.md
It used to say https://code.jquery.com/jquery.js but that's a frozen URL
to jQuery 1.11.1. Let's switch that to the URL to the Git build, i.e.
https://releases.jquery.com/git/jquery-git.js.

Closes gh-4972

(cherry picked from commit 9bdb16cd19)
2021-11-18 22:56:32 +01:00
Michał Gołębiowski-Owczarek
e9f77267d0
Tests: Disable CSS Custom Properties tests in old Safari/iOS
Safari 9.1 & iOS 9.3 support CSS custom properties but that support
is buggy which crashes our tests. Disable those tests there.

See https://caniuse.com/css-variables

Closes gh-4966
2021-11-15 18:40:58 +01:00
Michał Gołębiowski-Owczarek
a51eec7484 Tests: Make Karma browser timeout larger than the QUnit one
Since the default Karma browser no activity timeout was lower than the QUnit
timeout, a single timing out test was interrupting the whole test run of
a browser.

The QUnit timeout is set to 1 minute so I set the Karma one to 2 minutes.

Closes gh-4943

(cherry picked from commit 4fd6912bfd)
2021-10-30 00:57:20 +02:00
Michał Gołębiowski-Owczarek
509eeb892c CSS: Remove a redundant extension from rtrimCSS inclusion in curCSS
This breaks the AMD mode.
2021-10-19 00:31:49 +02:00
fecore1
219ccf5c5f CSS: Trim whitespace surrounding CSS Custom Properties values
The spec has recently changed and CSS Custom Properties values are trimmed now.
This change makes jQuery polyfill that new behavior for all browsers.

Ref w3c/csswg-drafts#774
Fixes gh-4926
Closes gh-4930

(partially cherry picked from commit efadfe991a)
2021-10-18 22:43:59 +02:00
Michał Gołębiowski-Owczarek
934064905c Docs: Remove the CLA checkbox in the pull request template
The EasyCLA status check is required so this won't get missed. The old JSF CLA
is dead, the provided link doesn't return meaningful information. There's no
good replacement link for the old CLA; PR authors are just supposed to sign the
new CLA by clicking on a link posted by the EasyCLA bot when they submit their
first PR since EasyCLA was enabled for the repo.

Closes gh-4937

(cherry picked from commit e124893132)
2021-10-18 18:09:37 +02:00
Michał Gołębiowski-Owczarek
ba81326ffd Tests: Don't remove csp.log in the cspClean action of mock.php
For some reason the current setup worked fine with Apache but broke for me when
I migrated to nginx.

Closes gh-4936

(cherry picked from commit 1019074f7b)
2021-09-30 00:31:27 +02:00
Michał Gołębiowski-Owczarek
f6f0720472 Tests: Load the TestSwarm listener via HTTPS
(cherry picked from commit d225639a8e)
2021-09-29 17:19:37 +02:00
Michał Gołębiowski-Owczarek
924b515dd3
Manipulation: Don't remove HTML comments from scripts
When evaluating scripts, jQuery strips out the possible wrapping HTML comment
and a CDATA section. However, all supported browsers are already doing that
when loading JS via appending a script tag to the DOM which is how we've been
doing `jQuery.globalEval` since jQuery 3.0.0. jQuery logic was imperfect, e.g.
it just stripped the `<!--` and `-->` markers, respectively at the beginning or
the end of the script contents. However, browsers are also stripping everything
following those markers in the same line, treating them as single-line comments
delimiters; this is now also mandated by ECMAScript 2015 in Annex B. Instead
of fixing the jQuery logic, just let the browser do its thing.

We still need to strip CDATA sections for backwards compatibility. This
shouldn't be needed as in XML documents they're already not visible when
inspecting element contents and in HTML documents they have no meaning but
we're preserving that logic for backwards compatibility. This will be removed
completely in 4.0.

Fixes gh-4904
Closes gh-4905
Ref gh-4906
2021-07-19 19:15:27 +02:00
Michał Gołębiowski-Owczarek
f12cac6075 Build: Test on Node.js 16 instead of 15
Node.js 10 is kept for now despite being EOL'd as that's what our current
infrastructure relies on.

Closes gh-4902

(cherry picked from commit 0f623fdc8d)
2021-07-12 18:36:25 +02:00
Timo Tijhof
8d20cb9732 Tests: Switch background image from online file to local 1x1.jpg
Also, remove unused `expected` property in `css` test cases.

Closes gh-4866

(cherry picked from commit 482f846203)
2021-05-24 18:30:54 +02:00
Michał Gołębiowski-Owczarek
b3e4a7eb16 Event: Don't break focus triggering after .on(focus).off(focus)
The `_default` function in the special event settings for focus/blur has
always returned `true` since gh-4813 as the event was already being fired
from `leverageNative`. However, that only works if there's an active handler
on that element; this made a quick consecutive call:

```js
elem.on( "focus", function() {} ).off( "focus" );
```

make subsequent `.trigger( "focus" )` calls to not do any triggering.

The solution, already used in a similar `_default` method for the `click` event,
is to check for the `dataPriv` entry on the element for the focus event
(similarly for blur).

Fixes gh-4867
Closes gh-4885

(cherry picked from commit e539bac79e)
2021-05-10 19:13:25 +02:00
Michał Gołębiowski-Owczarek
752b8981f8 Build: Take core-js from the external directory as well
All the other files were already taken from the external directory.
The fact core-js was taken from node_modules broke IE core tests on TestSwarm.

Ref gh-4865
Ref gh-4870

(partially cherry picked from 345cd22e56)
2021-04-14 01:47:38 +02:00
Michał Gołębiowski-Owczarek
b14b62c8a2 Tests: Strip untypical callback parameter characters from mock.php
Only allow alphanumeric characters & underscores for callback parameters.
The change is done both for the PHP server as well as the Node.js-based version.
This is only test code so we're not fixing any security issue but it happens
often enough that the whole jQuery repository directory structure is deployed
onto the server with PHP enabled that it makes is easy to introduce security
issues if this cleanup is not done.

Ref gh-4764
Closes gh-4871

(cherry picked from a70274632d)
2021-04-13 22:36:19 +02:00
Timmy Willison
3642471ec5
Build: Updating the 3.x-stable version to 3.6.1-pre. 2021-03-02 12:12:18 -05:00